﻿using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Data;
using System.Data.SqlServerCe;


namespace OWASP.DotNetGoat
{
    public partial class ReflectedXSS : System.Web.UI.Page
    {
        protected void Page_Load(object sender, EventArgs e)
        {
            if (Request["id"] == null)
                RefreshListings();
            else
                DisplayMessage();
        }


        void RefreshListings()
        {
            string output = "";
            string connectionString = System.Configuration.ConfigurationManager.ConnectionStrings["sqlCEConnString"].ToString();
            SqlCeConnection cn = new SqlCeConnection(connectionString);
            cn.Open();
            SqlCeCommand cmd = new SqlCeCommand("select * from Postings", cn);
            SqlCeDataReader dr = cmd.ExecuteReader();
            while (dr.Read())
            {
                output += "<a href='" + Request.Path + "?id=" + dr["PostingID"] + "'>" + dr["Title"] + "</a><br/>";
            }
            lblOutput.Text = output;
        }
        void DisplayMessage()
        {
            if (Request["id"] != null)
            {
                try
                {
                    int id = int.Parse(Request["id"]);
                    DatabaseUtilities du = new DatabaseUtilities();
                    DataSet ds = du.GetPostingByID(id);
                    dtlView.DataSource = ds;
                    dtlView.DataBind();
                    RefreshListings();
                }
                catch (Exception ex)
                {
                    lblOutput.Text = "Record " + Request["id"] + " not found";
                }

            }
        }
    }
}